Math Analysis
Classic buffer overflow.

Problem

Congratulations, you've graduated from letters! Now, let's move on to numbers.
From the BCA Course Catalog:
Analysis I includes linear and quadratic functions, polynomials, inequalities, functions, exponential and logarithmic functions, conic sections, and geometry.
That's a lot of cool stuff! I think you'll have tons of fun learning about functions in this class!

Solution

This is a classic buffer overflow with a win function.
```c
char response[50];

setbuf(stdout, NULL);
setbuf(stdin, NULL);
setbuf(stderr, NULL);

puts("It's math time, baby!");
puts("WOOO I love my numbers and functions and stuff!!");
/* Prints the address of cheat() as the "number". */
printf("For example, here's a number: %d.\n", cheat);
puts("What do you think about that wonderful number?");
printf("> ");
/* gets() has no length limit, so input can run past response[50]. */
gets(response);
```
We want to jump here:
```c
void cheat() {
    FILE *fp = fopen("flag.txt", "r");
    char flag[100];

    if (fp == NULL) {
        puts("Hmmm... I can't find my answers.");
        puts("That's not good, but at least it means you can't cheat!");
        puts("[If you are seeing this on the remote server, please contact admin].");
        exit(1);
    }

    fgets(flag, sizeof(flag), fp);
    puts(flag);
}
```
I've been writing my own tool for challenges like this, and I'm glad it worked! The general steps are still the same, though - using a cyclic pattern to find the RIP offset, then overwriting the saved return address with the address of the win function.
Using the payload, we get the flag from the remote server.
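For the fix side of the same bug, here is an added example (not part of the challenge source or the original writeup) of a bounded replacement for the `gets(response)` call, run against a constructed over-long line. The names `read_response`, `demo_overlong_line` and the `guard` field are hypothetical; `guard` stands in for whatever sits after the buffer in memory.

```c
#include <stdio.h>
#include <string.h>

#define RESPONSE_SIZE 50   /* same size as response[] in the challenge */

/* Hypothetical helper: bounded replacement for gets(response).
 * Stores at most size-1 bytes plus a NUL, strips the newline, and discards
 * the rest of an over-long line so it is not read as the next answer.
 * Returns the stored length, or -1 on EOF/error; *truncated is 1 if bytes were dropped. */
static int read_response(FILE *in, char *buf, size_t size, int *truncated)
{
    int c, dropped = 0;
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                      /* the whole line fit */
    } else {
        while ((c = getc(in)) != EOF && c != '\n')
            dropped = 1;                        /* drain the excess bytes */
    }
    *truncated = dropped;
    return (int)len;
}

/* Constructed input: 200 'A's (far more than 50 bytes), then a normal line. */
static int demo_overlong_line(void)
{
    struct { char response[RESPONSE_SIZE]; unsigned long guard; } frame = { "", 0x5afe5afeUL };
    FILE *in = tmpfile();
    int truncated, len, ok;
    if (in == NULL) return -1;
    for (int i = 0; i < 200; i++) putc('A', in);
    fputs("\nnice number\n", in);
    rewind(in);
    len = read_response(in, frame.response, sizeof frame.response, &truncated);
    ok = (len == RESPONSE_SIZE - 1) && truncated && frame.guard == 0x5afe5afeUL;
    len = read_response(in, frame.response, sizeof frame.response, &truncated);
    ok = ok && !truncated && len == 11 && strcmp(frame.response, "nice number") == 0;
    fclose(in);
    return ok;   /* 1 when the buffer held and the next line was read cleanly */
}

int main(void)
{
    printf("bounded read held: %d\n", demo_overlong_line());
    return 0;
}
```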